Privacy Policy

Effective date: 2026-06-11 · Last updated: 2026-06-11 · Tersedia dalam Bahasa Indonesia

Plain-language summary. We are a short-form drama discovery app and a saver for public clips from X. We collect your account email, your watch activity, your saved clips, and a small set of technical data needed to stream video. We do not sell your data, and at launch we do not run advertising SDKs. You can delete your account and your data by emailing support@clipdrama.id or following the steps on the Account & Data Deletion page.

1. Who we are

ClipDrama (the "Service", "we", "us") is developed and operated by the ClipDrama team, currently organised as a group of individual contributors based in Indonesia, publishing the Service on Google Play under the developer account associated with the contact email below. For the purposes of the Indonesian Personal Data Protection Law (UU No. 27/2022, "UU PDP"), ClipDrama acts as the Personal Data Controller (Pengendali Data Pribadi) for the personal data described in this policy.

References in this policy to "ClipDrama Android App" cover the unified Android application that includes both the drama discovery feature and the public X clip saver feature.

Contact for any privacy question, data request or complaint: support@clipdrama.id.

2. The laws we follow

We process personal data in accordance with the Republic of Indonesia's Personal Data Protection Law (UU No. 27 Tahun 2022, "UU PDP"). Where users are located outside Indonesia, we apply equivalent protections consistent with that law. Nothing in this policy waives rights you hold under your local data protection law.

3. What we collect, and why

The categories below are the complete list. We do not collect anything not described here.

Category	What it is	Why we need it	Legal basis (UU PDP Art. 20)
Account identifiers	Firebase user ID, email address, display name and avatar URL if you sign in with Google.	Authenticate you, link your watch history and saved clips to your account, contact you about account-related events.	Performance of contract; explicit consent given at sign-in.
Drama activity	Watchlist entries, watch history rows (drama ID, episode number, last-watched timestamp, resume position), language and content preferences.	Show your "continue watching" row, sync state across devices, personalise recommendations.	Performance of contract.
Saved X clips	The public X (Twitter) post URL you submitted, the source tweet ID, basic media metadata returned by X's public endpoints (duration, dimensions, poster).	Save and replay the clip you asked to save.	Performance of contract.
Technical streaming data	IP address, device type, operating system, app version, request timestamps. Held in transient request logs only.	Authorise stream tokens, protect the streaming proxy against abuse, debug playback issues.	Legitimate interests in operating and securing the Service.
Crash and diagnostic data	Anonymised crash stack traces and non-fatal errors reported by Firebase Crashlytics, if enabled in your build.	Diagnose and fix bugs.	Legitimate interests.

We do not collect: precise geolocation, contacts, SMS, microphone audio, camera images, calendar, health data, financial account numbers, or biometric data. We do not run advertising SDKs at launch and we do not share data with advertising networks. If we add advertising in the future, we will name the SDK partners in section 5 of this policy and notify you in-app before the change takes effect, in line with UU PDP Article 16.

4. How long we keep it

Account identifiers and drama activity: kept while your account is active. Deleted within 30 days of an account-deletion request.
Saved X clips: kept until you delete the clip or your account. Deleted within 30 days of account deletion.
Transient request logs (IP, user-agent): rotated within 14 days.
Crash diagnostics: retained for up to 90 days per the Firebase Crashlytics default.
Paid-transaction records (if applicable): where you make a paid transaction inside the app (for example, purchasing coins or unlocking premium episodes), we retain a minimum record of the transaction — date, amount, payment-processor reference and Firebase user ID — for 5 years, as required by Indonesian commercial and tax law (Law No. 8/1997 on Company Documents and OJK record-keeping rules). This record is kept even after you delete your account. It does not include payment-card details, which we never receive.
We may retain a minimum subset of data longer where required to comply with a legal obligation, resolve a dispute, or enforce our Terms of Service. Any such retention is limited to what is strictly necessary.

5. Third-party services we share with

We share personal data only with the processors strictly required to run the Service. None of these are advertising networks.

Google Firebase (Authentication, Crashlytics, App Check) — for sign-in, anti-abuse and crash reporting. Processed under Google's Data Processing and Security Terms, including the Standard Contractual Clauses (Module Two — controller to processor) for cross-border transfers.
Neon (managed PostgreSQL) — stores your account data, watchlist, history and saved clips on infrastructure located in Singapore (ap-southeast-1). Singapore's PDPA is treated as providing protection at a level adequate to UU PDP standards.

Upstream drama content providers

ClipDrama is an aggregator. When you press play on a drama, we request a streaming URL from the upstream catalog provider that supplies that title. The provider receives the drama ID and a short-lived session token; it does not receive your account email. Once a stream begins, the upstream provider's own privacy policy and terms also apply to that playback session. Our current upstream providers are:

DramaBox — operated by StoryMatrix Pte. Ltd. (Singapore). Policy: support.dramaboxdb.com/privacy.html.
Vigloo — operated by Spoonlabs, Inc. (Republic of Korea). Policy: vigloo.oopy.io/en/privacypolicy.
Pinedrama — upstream is TikTok, operated by TikTok Pte. Ltd. (Singapore). Policy: tiktok.com/legal/page/row/privacy-policy/id.
GoodShort — operated by its publisher (short-drama operator). Refer to the GoodShort app's in-app privacy notice for its processing terms.

X (Twitter) public endpoints

When you ask to save a clip, our backend fetches metadata for the public X post you submitted from X's public syndication endpoints. No account credential of yours is sent to X.

We do not sell personal data and we do not share it for cross-context behavioural advertising.

6. How we protect your data

All connections to our API use TLS 1.2+ and HSTS.
Authentication is handled by Firebase ID tokens validated server-side on every request; admin endpoints require an additional shared secret.
The streaming proxy enforces a Server-Side Request Forgery (SSRF) allowlist and a per-IP throttle.
Database access is restricted to the production application identity. No employee or contractor has standing access to user data.
Secrets and database credentials are stored in encrypted environment variables, never in source.

No system is perfectly secure. If we discover a personal-data breach that is likely to result in significant harm, we will notify affected users and the Indonesian data protection authority within 72 hours of confirmation, per UU PDP Article 46.

7. Your rights (UU PDP Articles 5–15)

You have the right to:

Request a copy of the personal data we hold about you.
Have inaccurate or out-of-date data corrected.
Request deletion of your account and personal data (see Account & Data Deletion).
Withdraw consent at any time, by deleting your account.
Object to or restrict specific processing.
Receive your data in a portable, machine-readable format.
Lodge a complaint with the Indonesian data protection authority.

We respond to verified rights requests within 30 calendar days. To file a request, email support@clipdrama.id from the email address associated with your account.

8. Children

ClipDrama is not directed at children under 13, and we do not knowingly collect personal data from children under 13. For users accessing the Service from Indonesia, you confirm that you are at least 21 years old or are otherwise married or no longer under guardianship under Indonesian law (Article 330 of the Indonesian Civil Code). If you are below the applicable age threshold, your parent or legal guardian is responsible for accepting this policy on your behalf and for your use of the Service. If you believe a child has signed up without appropriate consent, email support@clipdrama.id and we will delete the account.

9. International transfers

Our database and most processing happen in Singapore. Firebase services may process limited data in Google's regional data centres. Where we transfer personal data outside Indonesia we rely on one of the following safeguards consistent with UU PDP Article 56:

Singapore (Neon database): reliance on Singapore's Personal Data Protection Act, which provides protection at a level treated as adequate to Indonesian standards.
Google Firebase regional data centres: reliance on Google's Data Processing Terms incorporating the EU/UK Standard Contractual Clauses (Module Two — controller to processor).

10. Changes to this policy

If we change this policy in a material way we will update the "Last updated" date above and, where the change affects how we use existing data, we will surface a notice inside the app on next launch. Continued use of the Service after the effective date of the change constitutes acceptance of the updated policy.

11. Language

This Privacy Policy is published in English and Bahasa Indonesia. In the event of any inconsistency between the two versions, the English version prevails for the purpose of interpretation, except where a mandatory Indonesian-language requirement applies.

12. Contact

Data protection contact (also acts as the contact under UU PDP Art. 53):
The ClipDrama team
Email: support@clipdrama.id
Country: Indonesia